The Stone Ages of Open Source Security
Ask a developer about how they got into programming, and you learn so much about them.
“I got into programming because we had to do simulations and stuff in MATLAB,” Lorenc said. “And then I switched over to Python because it was similar. And we didn’t need those licenses or whatever that we needed. And then I was like, ‘Oh, this is much faster than you know, ordering parts and going to the machine shop and reserving time,’ so I got into it that way.”
Four years ago, Lorenc stepped into the field of open source security.
“Open source security and supply chain security weren’t buzzwords back then,” Lorenc said. “Nobody was talking about it. And I kind of got paranoid about it.”
Lorenc worked on the Minikube open source project at Google, where he first saw how insecure it could be to work on open source projects. In the interview, he talks about the threats he saw in that work.
It was so odd for Lorenc. State-of-art for open source security was not state of the art at all. It was the stone age.
Lorenc said it felt weird for him to build the first release in MiniKube that did not raise questions about security.
“But I mean, this is like a 200 megabyte Go binary that people were just running as root on their laptops across the Kubernetes community,” Lorenc said. “And nobody had any idea what I put in there if it matched the source on GitHub or anything. So that was pretty terrifying. And that got me paranoid about the space and kind of went down this long rabbit hole that eventually resulted in starting Chainguard.”
Today, the world is burning down, and that’s good for a security startup like Chainguard.
“Yeah, we’ve got a mess of an industry to tackle here,” Lorenc said. “If you’ve been following the news at all, it might seem like the software industry is burning on fire or falling down or anything because of all of these security problems. It’s bad news for a lot of folks, but it’s good news if you’re in the security space.”
Good news, yes, but how does it fit into a larger story?
“Right now, one of our big focuses is figuring out how do we explain where we fit into the bigger landscape,” Lorenc. said. “Because the security market is massive and confusing and full of vendors putting buzzwords on their websites, like zero trust and stuff like that. And it’s pretty easy to get lost in that mess. And so figuring out how we position ourselves, how we handle the branding, the marketing, and making it clear to prospective customers and community members, everything exactly what it is we do and what threats our products mitigate, to make sure we’re being accurate there. And conveying that to our customers. That’s my big focus right now.”